CISA recently advised U.S. business leaders to protect their companies from destructive malware that has been seen targeting Ukraine. This emphasizes the importance of having the right technologies in place. The automated detection and protection capabilities of the CrowdStrike Falcon platform protect customers from this malware, provide them with visibility into their environments and allow for intelligent monitoring of cloud resources.

On Jan. 18, 2022, researchers found a heap base buffer overflow flaw (CVE-2022-0185) in the Linux kernel (5.1-rc1+) function “legacy_parse_param” of filesystem context functionality, which allows an out-of-bounds write in kernel memory. Using this primitive, an unprivileged attacker can escalate its privilege to root, bypassing any Linux namespace restrictions.

Disruptive and destructive cyber operations have been levied against elements of Ukrainian society by adversaries attributed to the Russian government — or groups highly likely to be controlled by them — since at least 2014. These operations have impacted several sectors, including energy, transportation and state finance, and have attempted to influence political processes and affect businesses more broadly within the country.

Supply chain compromises are an increasing threat that impacts a range of sectors, with threat actors leveraging access to support several motivations including financial gain (such as with the Kaseya ransomware attack) and espionage. Throughout 2020, an operation attributed to the Foreign Intelligence Service of the Russian Federation (SVR) by the U.S.

Cryptocurrency mining has become very popular among malicious actors that aim to profit by exploiting cloud attack surfaces. Exposed Docker APIs have become a common target for cryptominers to mine various cryptocurrencies. According to the Google Threat Horizon report published Nov. 29, 2021, 86% of compromised Google Cloud instances were used to perform cryptocurrency mining.

Threat actors go to great lengths to hide the intentions of the malware they produce. For instance, binaries are often encrypted or packed. Typically, encrypting binaries is enough to thwart automated analysis platforms such as Cuckoo or other automated malware sandboxes. The implication is that automated detection of malicious programs might not be successful.

Today’s privacy and security conversations often happen in silos, but key privacy principles from decades ago remind us that they are intertwined, especially in the face of today’s risks. January 28, 2022, marks 15 years since the first Data Protection Day was proclaimed in Europe and 13 years since Data Privacy Day was first recognized by the United States. Since then, dozens more countries recognize the day, including Canada and Israel.

The large amounts of behavioral data being generated today necessitate accurate labels for machine learning classifiers. In an earlier blog post, Large-Scale Endpoint Security MOLD Remediation, we discussed how to remediate labeling noise. In this blog post, we experiment with an unsupervised approach that eliminates the need for learning from labeled data.

The results from the 2021 Global Security Attitude Survey paint a bleak picture of how organizations globally are feeling about the cybersecurity landscape before them. Organizations are grappling with shortages of cybersecurity skills and a lack of capability to detect and contain intrusions in a timely way.

Deloitte, a leader in managed security services, has launched MXDR by Deloitte — a Managed Extended Detection and Response suite of offerings — within which the CrowdStrike Falcon® platform will power a number of solutions. MXDR by Deloitte combines an integrated, composable and modular managed detection and response SaaS platform with managed security services in a unified offering of advanced, military-grade threat hunting, detection, response and remediation capabilities.

In an incident response investigation, CrowdStrike analysts use multiple data points to parse the facts of who, what, when and how. As part of that fact-finding mission, analysts investigating Windows systems leverage the Microsoft Protection Log (MPLog), a forensic artifact on Windows operating systems that offers a wealth of data to support forensic investigations. MPLog has proven to be beneficial in identifying process execution and file access on systems.

On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced.

Organizations need to stay ahead of the ever-evolving security landscape. It’s no secret that Zero Trust security is crucial for successful endpoint protection. Due to the rapid transition to a remote workforce and shift from the traditional data center into dynamic cloud infrastructure we’ve witnessed in the last year, more and more companies are finding the need to accelerate their digital transformation to keep pace with the expanding threat surface.

Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, have increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021.

Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released.

During a recent client engagement for a tabletop exercise (TTX), it became apparent that the client did not have a methodology for tracking indicators and building an incident timeline. The CrowdStrike Services team wanted to provide more information to our client on how incidents can and should be tracked, but nothing was available in the public domain.

The TellYouThePass ransomware family was recently reported as a post-exploitation malicious payload used in conjunction with a remote code execution vulnerability in Apache Log4j library, dubbed Log4Shell. TellYouThePass was first reported in early 2019 as a financially motivated ransomware designed to encrypt files and demand payment for restoring them. Targeting both Windows and Linux systems, TellYouThePass ransomware re-emerged in mid-December 2021 along with other ransomware like Khonsari.

It should come as little surprise that when enterprise and IT leaders turned their attention to the cloud, so did attackers. Unfortunately, the security capabilities of enterprises have not always kept up with the threat landscape. Poor visibility, management challenges and misconfigurations combine with other security and compliance issues to make protecting cloud environments a complex endeavor.